Mailvelope


bowler

Hi all.

On the last episode Mubix showed how he can retrieve a person's private key as it was stored in a SQLite db in the clear.

I think it is usually the case that private keys are password protected (or should be). Now in the case that the private key is protected with a lengthy complex password (basically a password generated by a generator), would the private key be of any use to anyone without the associated password that protects it?

Thanks.

Mailvelope is still a good solution on Windows. My only hit on the product was that the developer wasn't using the available encryption in Chrome to encrypt his storage so that an offline attacker couldn't get the keys. And yes your point still holds that if people use a good password then the keys will be useless to the attacker.

Mailvelope is still a good solution on Windows. My only hit on the product was that the developer wasn't using the available encryption in Chrome to encrypt his storage so that an offline attacker couldn't get the keys. And yes your point still holds that if people use a good password then the keys will be useless to the attacker.

Let's qualify this. (Sorry, but in the security field EVERYTHING needs to be qualified.)

If people use a good password, it will somewhat slow down the attacker as they will have to brute-force the password before they can make use of the key.

With modern technology it's becoming easier and more affordable to massively parallelize and distribute the job. Even in a strictly brute-force scenario, this is eating away at password security.

Second, thanks in part to the recent disclosures of large quantities of real-world password examples, the techniques for generating password guesses have been improving as well, which drastically cuts down the search space from a pure brute-force attack to fuzzed variations on common patterns. This is also eating away at password security.

You need both a long password, and a password that does not conform closely to a known pattern. Otherwise, like in the rest of the security field, having physical access (or a local copy) makes bypass an inevitable eventuality.

But let's put this in context: It's still a hell of a lot safer than plain text. It might not be impenetrable, but at least you're making them work for it. Even if it just buys you a few days, that could be enough to make all the difference.

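A practical check for the question that opened the thread and the reply above: whether an exported OpenPGP secret key actually has its private material passphrase-encrypted, read from the S2K usage octet of the secret-key packet as laid out in RFC 4880. This is an added example, not Mailvelope's or OpenPGP.js's code; the sample packet it builds is constructed for the demonstration and is not a usable key.

```python
import struct
# Public MPIs per algorithm ID (RFC 4880 5.5.2): RSA 1/2/3, Elgamal 16, DSA 17; curve keys not handled
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}

def read_packet(buf, pos=0):
    """Parse one packet header (old or new format); return (tag, body_start, body_end)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header (RFC 4880 4.2.1); length type 3 (indeterminate) is unsupported
        tag, size = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 0x03]
        length, hdr = int.from_bytes(buf[pos + 1:pos + 1 + size], "big"), 1 + size
    return tag, pos + hdr, pos + hdr + length

def s2k_usage(body):
    """Return the S2K usage octet that follows the public MPIs of a v4 secret-key body."""
    if body[0] != 4:
        raise ValueError("only v4 keys handled")
    pos = 6  # version(1) + creation time(4) + algorithm(1)
    for _ in range(PUBLIC_MPI_COUNT[body[5]]):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + (bits + 7) // 8  # skip this MPI
    return body[pos]

def key_is_protected(data):
    """True if the first secret-key packet (tag 5 or 7) has its private MPIs passphrase-encrypted."""
    pos = 0
    while pos < len(data):
        tag, start, end = read_packet(data, pos)
        if tag in (5, 7):
            # 0 = stored in the clear; 254/255 = S2K-derived key; other = legacy cipher id
            return s2k_usage(data[start:end]) != 0
        pos = end
    raise ValueError("no secret-key packet found")

def sample_secret_key(usage):
    """Constructed, non-functional RSA v4 secret-key packet (new-format header) for demonstration."""
    mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04\x00\x00\x00\x00\x01" + mpi(0xC8B5) + mpi(0x010001) + bytes([usage])
    return bytes([0xC5, len(body) + 16]) + body + b"\x00" * 16  # zeros stand in for secret MPIs + checksum
```

The functions expect the binary packet stream; an ASCII-armored export must have its base64 body decoded first. A usage octet of 0 means the key would be immediately usable to anyone who copies the storage file.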
This might be a dumb question (my second one today) but, are private keys shared by Chrome if you use Mailvelope? By that I mean, if I mailveloped on my desktop, then logged into a Chromebook with my Google password, would my private key be waiting for me there?

If so, isn't that kind of a security risk having your private key stored by Google in the cloud?
